FALLCHILL

FALLCHILL is a remote administration trojan (RAT) used by threat actors associated with the North Korean government, known as HIDDEN COBRA or Lazarus Group. The RAT has been used by the threat group since at least 2016 to exploit and maintain a presence on the networks of organizations within the aerospace, telecommunications, and finance industries. The trojan typically infects a system either via a first-stage malware or a drive-by download in which a malicious file is unknowingly downloaded onto the user's system after visiting a compromised site. The actors issue commands from their C2 server via dual proxies for added obfuscation.

FALLCHILL collects the following system data to send to its C2:

operating system version information

processor information

system name

local IP address information

unique generated ID

MAC address

FALLCHILL can perform the following functions:

retrieve information about all installed disks

create, start, and terminate a new process

search, read, write, move, and execute files

retrieve and modify file or directory timestamps

change the current directory for a process or file

delete malware and artifacts associated with the malware from the infected system

A successful network intrusion using FALLCHILL could result in the temporary or permanent loss of sensitive or proprietary information, disruption to regular operations, financial losses incurred to restore systems and files, and potential harm to an organization’s reputation.

Technical Details

The United States Computer Emergency Response Team (US-CERT) released a joint Technical Alert detailing FALLCHILL and its use by HIDDEN COBRA, including technical details, network signatures and host-based rules, and mitigation strategies. The alert is available here.

Reference in this site to any specific commercial product, process, or service, or the use of any trade, firm or corporation name is for the information and convenience of the public, and does not constitute endorsement, recommendation, or favoring by the NJCCIC and the State of New Jersey.